First DRAFT 5/10/2007 


For submission to IAASS 


Redefining Safety 
Leonard B. Sirota, NASA 


Abstract 

NASA and the Aerospace community have traditionally included both risk to humans and hardware in the 
definition of “Safety”. This leads to miscommunication with the public and can be an impediment to decision 
making. This paper offers two alternative approaches: first, applying the term “safety” only to humans and 
referring to the risk of damage or loss of hardware as an element of “mission success” and second, using 
different notation for each type of “safety”. 

Background 

Merriam-Webster's Dictionary defines “safety” as: “The quality or condition of being safe; freedom from 
danger, injury, or damage; security.” 

Getting a little more specific, the Military Standard 882D Paragraph 3.2.10 defines safety as: 

“Freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of 
equipment or property, or damage to the environment.” 

The current definitions of “safety” used by the major space agencies of the world (the Japanese, Canadian and 
European Space Agencies) are similar to the Military Standard above, encompassing risks to human life, 
damage to or loss of flight or ground assets, as well as risks to the environment. 

The European Space Agency has a similar definition but adds even more specificity. Safety is: 

System state where an acceptable level of risk with respect to: 

• fatality, 

• injury or occupational illness, 

• damage to launcher hardware or launch site facilities, 

• damage to an element of an interfacing manned flight system, 

• the main functions of a flight system itself, 

• pollution of the environment, atmosphere or outer space, and 

• damage to public or private property is not exceeded 


NASA’s definition of safety goes even further, addressing how safety risks should be measured and controlled. 
Safety: “Freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of 
equipment or property, or damage to the environment. In a risk-informed context, safety is an overall mission 
and program condition that provides sufficient assurance that accidents will not result from the mission 
execution or program implementation, or, if they occur, their consequences will be mitigated. This assurance is 
established by means of the satisfaction of a combination of deterministic criteria and risk criteria.” 

Knowing that “Safety” has three major components, we now look at how each is measured. When risk is 
evaluated, each of the three components has separate descriptions for each level of severity. Thus, as can be 
seen in the ESA’s table below for severity of consequences, loss of life, loss of systems, or loss of launch site 
facilities are all considered equally catastrophic. 


In program management, trade-offs are made to balance cost, schedule and technical risks. Within the range of 
“safety” there are similar trades to be made between those risks that affect mission success and the risks to life. 
By stating the severity of consequences ratings for each of the different risk categories, the values for the trades 
are quantified. Thus, it is being asserted that the impact to a space agency of reducing the risk to a person from 
loss of life to temporary but not life-threatening disability is equal to that of reducing the loss of launch site 
facilities to major damage to ground facilities. 


This aggregation of various risks within the same category leaves us with a less than precise understanding of 
the implications of these risks. Risks are rated by their potential consequences (hazards) and likelihood of 
occurrence. In order to communicate the level of risks within a program, the risks are then plotted on a matrix 
where the highest consequence and likelihood risks are painted red, the lowest painted green, with yellow for 
those in between. Each of the consequence levels is applied to all three types of “safety” with specific 
predetermined criteria. Several examples of these criteria are included in this paper. Looking at just the worst 
consequence, in the Space Shuttle Program loss of life, loss of program or catastrophic environmental impact 
are all at level “5”. Each of these criteria is of extreme proportion and to be avoided. The European Space 
Agency (ESA) uses loss of life as the standard for humans and loss of launch site facilities for assets as the 
criteria for the highest consequence category. Since both human life and assets are parts of “safety”, we come to 
the conclusion that loss of a launch facility is equal to loss of life. I contend that we do not see these as equal 
and would not be willing to consciously trade a life to save a launch pad, all other things being equal. In the 
decision process for flight operations we do whatever we can to save lives, regardless of the cost to assets. 

Thus, it is misleading to show both of these types of risks as equal and undistinguished risks on a safety risk 
matrix. 

Then, using only this definition for evaluating risks, it appears that we equate loss of life with loss of a specified 
dollar value of ground support equipment. Clearly we do not make such trades, but we need to use better tools 
to communicate the fact that these are two different categories of risk requiring separate evaluation. Therefore, 
I am proposing that, when talking about safety risks, we clarify our meaning by separating the safety risks into 
three categories: risks to human life (S_H), risk to flight or ground assets (S_A), or risk to the environment (S_E). 
This permits us to better understand and communicate the rationale and impact of risk decisions. In this paper 
we will primarily address S_H and S_A. 


NASA performs a Safety and Mission Success Review prior to all significant NASA launches. The 
central feature of these reviews is an assessment of risks to safety and mission success as displayed on 
matrices with two variables on the axes: Consequence and Likelihood. The Consequences for the 
safety matrix are based on the definition of “Safety” as follows: 

[Figure: Space Shuttle Program Risk Management Scorecard] 

The European Space Agency uses the following criteria to rate the severity of consequences: 

The severity of potential consequences of identified hazardous events shall be 
categorized as shown in Table 1: 

Table 1: Severity of consequences 

Severity            | Level | Dependability                                  | Safety 
--------------------+-------+------------------------------------------------+---------------------------------------------------------------- 
Catastrophic        |   1   |                                                | Loss of life, life-threatening or permanently disabling injury 
                    |       |                                                | or occupational illness; 
                    |       |                                                | Loss of system; 
                    |       |                                                | Loss of an interfacing manned flight system; 
                    |       |                                                | Loss of launch site facilities; 
                    |       |                                                | Severe detrimental environmental effects. 
--------------------+-------+------------------------------------------------+---------------------------------------------------------------- 
Critical            |   2   | Complete loss of mission                       | Temporarily disabling but not life-threatening injury, or 
                    |       |                                                | temporary occupational illness; 
                    |       |                                                | Major damage to interfacing flight system; 
                    |       |                                                | Major damage to ground facilities; 
                    |       |                                                | Major damage to public or private property; 
                    |       |                                                | Major detrimental environmental effects. 
--------------------+-------+------------------------------------------------+---------------------------------------------------------------- 
Major               |   3   | Major mission degradation                      | 
--------------------+-------+------------------------------------------------+---------------------------------------------------------------- 
Minor or Negligible |   4   | Minor mission degradation or any other effect  | 

Note: The severity category is the highest severity category of the function associated with the system or 
system component. 


Again, these two tables reflect a very similar view in favor of aggregating the various aspects of safety. 

It is my contention that the safety risk trade above is not equal and should not be shown as equal on the same 
risk matrix without clearly identifying which type of risk is being shown. With equal likelihood, a potentially 
catastrophic risk to facilities or flight hardware may be acceptable for launch and the decision reasonably 
straightforward, but a potentially catastrophic risk to humans would be a more difficult decision to make, harder 
to accept and even harder to explain to the public. Therefore, we need to always be clear about what type of 
safety risk we are evaluating and portraying. 


Impact of Current Definition on Decision Process and Communication 


We have risk matrices that show relative magnitude and ranking of safety risks. We use this tool in program 
reviews and as an aid to program management to focus on the most critical issues. When we lump together 
risks to assets with risks to humans on the same matrix without discriminating notations we are oversimplifying 
the circumstances and complicating the decision process. Although a risk to flight crew and a risk to ground 
support equipment may have the same rating on the safety matrix our reaction to them is not equal. Clearly we 
hold the value of life to be higher than hardware assets and will make decisions with this in mind. 

An example to clarify the point: 

Before the Shuttle STS-114 launch it was determined that, due to debris concerns, the risk for the mission was 
considered to be “red”. This was based on the concern for loss of the Orbiter. For this reason the NASA Chief, 
Safety and Mission Assurance and the NASA Chief Engineer voted not to launch. This recommendation was 
overridden by the NASA Administrator because there were really two risks embedded in the one point on the 
matrix. First there was the risk to the flight hardware, which could suffer a catastrophic event due to damage 
incurred on ascent. The second risk was to the crew. Because there was a plan in place to support the crew on 
the International Space Station until a Launch on Need rescue vehicle could be launched to return them to Earth, 
their risk was in the “yellow”. With this rationale the Chief, SMA and the Chief Engineer chose not to take a 
dissenting opinion forward again. 



Despite the reasonable rationale for the decision it was difficult to communicate to the public because all they 
saw was a “red” for safety. 

Currently Used Alternative Approach 

The International Space Station (ISS) program uses different scales for rating risk depending on the application. 
I would like to call your attention to the risk rating card (chart x below) which is used to compare the relative 
risks for the overall program. In this instance the definition used for safety risks relates only to human life. All 
impacts to flight systems are considered Mission Success risks. With this narrow focus for “safety” it is now 
easier to rapidly distinguish the risks and impacts of decisions on humans versus hardware. 

Analysis 

Currently the different types of safety risks, each measured with a different set of criteria, are placed on the 
same matrix without clearly indicating which scale was the basis for the evaluation (see the table taken 
from NPR ). The ones associated with assets only affect cost, schedule and mission success, which do 
not directly impact human life. The second category, risks to the environment, also may affect cost, schedule 
and mission success but can, to varying degrees, have an impact on humans beyond the scope of the mission, 
short of directly and immediately impacting human life. 


There is little risk of choosing the wrong course of action due to the aggregation of the different types of risk on 
the same matrix. Decisions for action are not based solely on a risk matrix but on careful review, analysis and 
understanding of the technical basis for the risks and the impact of each possible option. 


The risks are in communication to the public and to other members of the aerospace community where little 
supporting detail comes with the graphic representations of risk. They only see the “X” for safety in the red 
box. 

There are several options available to improve our communication. 

1. Leave the matrices and rating systems as they are but be more aware of the need to differentiate between 
risks to human safety versus assets or environmental safety. When speaking about these risks, always 
clarify what is at risk. In this option the matrices do not speak for themselves and must be accompanied 
by verbal or written narrative giving further explanation of the risk ratings. 

2. Always use a separate matrix to display risks to humans. There is little room for misinterpretation with 
this option, but it does add more individual matrices to any evaluation of risks and, based on the more 
commonly used broader definition of “safety”, it makes it more difficult to get a quick snapshot of all 
the most critical issues that need to be addressed. 

3. Use subscripts to identify the various types of risks portrayed on the matrix (S_H, S_A, S_E). This approach 
captures the important distinction between the various types of safety risk in the same simple matrix 
format while still displaying all the various “safety” risks on the same page. The only minor downside 
to this approach is the addition of more detail to what may be an already cluttered chart. 



It is always going to be necessary for people dealing with these risks and communicating them to each other and 
the public to be clear about what types of risk are being discussed. But this is not sufficient. The charts that 
are presented and the records maintained for aerospace activities need to reflect these distinctions and not solely 
rely on the oral presentation to convey the differences in these safety risks. Either option two or three above 
can be made to work. 
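As an added illustration that is not part of the paper, the following Python model rates risks on a Consequence x Likelihood matrix, tags each one with the S_H / S_A / S_E subscript of option three, and reproduces the STS-114 situation: the aggregated “safety” cell reads red while the crew risk alone reads yellow. The 5x5 scale, the red/yellow/green thresholds and the STS-114 consequence and likelihood values are constructed assumptions, not program data.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Subscripts proposed in the paper: S_H humans, S_A assets, S_E environment."""
    S_H = "humans"
    S_A = "assets"
    S_E = "environment"


@dataclass(frozen=True)
class Risk:
    name: str
    category: Category
    consequence: int  # 1 (least) .. 5 (worst); 5 matches the Shuttle scorecard's top level
    likelihood: int   # 1 (remote) .. 5 (near certain); assumed scale


_RANK = {"green": 0, "yellow": 1, "red": 2}


def color(risk: Risk) -> str:
    """Map one risk to a matrix color (thresholds are constructed, not NASA's)."""
    if not (1 <= risk.consequence <= 5 and 1 <= risk.likelihood <= 5):
        raise ValueError(f"{risk.name}: consequence and likelihood must be 1..5")
    product = risk.consequence * risk.likelihood
    if product >= 15:
        return "red"
    return "yellow" if product >= 6 else "green"


def aggregated_color(risks) -> str:
    """Current practice: one undistinguished 'safety' cell, rated by its worst entry."""
    return max((color(r) for r in risks), key=_RANK.__getitem__)


def color_by_category(risks) -> dict:
    """Option 3: keep one matrix but report the worst color per subscript."""
    worst = {}
    for r in risks:
        c = color(r)
        if r.category not in worst or _RANK[c] > _RANK[worst[r.category]]:
            worst[r.category] = c
    return {cat.name: c for cat, c in worst.items()}


# Constructed STS-114 illustration: ascent debris could destroy the Orbiter (S_A),
# but the ISS safe haven and Launch-on-Need rescue mean the same event no longer
# implies loss of crew (S_H), so the human consequence is rated lower.
STS114 = [
    Risk("ascent debris damage to Orbiter", Category.S_A, consequence=5, likelihood=3),
    Risk("ascent debris, crew with ISS safe haven", Category.S_H, consequence=3, likelihood=3),
]

if __name__ == "__main__":
    print("aggregated safety cell:", aggregated_color(STS114))  # red
    print("per-category:", color_by_category(STS114))           # S_A red, S_H yellow
```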



[Figure: ISS Program Risk Scorecard] 
References 


NASA NPR 8715.3A, NASA General Safety Program Requirements, Appendix B: Glossary of Safety and 
Risk Management Terms 

SSP 50175 Rev B, Annex A, page 1 of 2 

Webster’s New Twentieth Century Dictionary of the English Language, Unabridged, second edition, 1955 



